US10394698B2 - Javascript path enumeration - Google Patents

Javascript path enumeration Download PDF

Info

Publication number
US10394698B2
US10394698B2 US15/686,388 US201715686388A US10394698B2 US 10394698 B2 US10394698 B2 US 10394698B2 US 201715686388 A US201715686388 A US 201715686388A US 10394698 B2 US10394698 B2 US 10394698B2
Authority
US
United States
Prior art keywords
branch
path
dom
processor
javascript code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US15/686,388
Other versions
US20180074943A1 (en
Inventor
Kevin Allen Williams
Steve Alan Millar
Stephen Daniel Hardeman
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Micro Focus LLC
Original Assignee
EntIT Software LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by EntIT Software LLC filed Critical EntIT Software LLC
Assigned to HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP reassignment HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: WILLIAMS, Kevin Allen, HARDEMAN, Stephen Daniel, MILLAR, Steve Alan
Priority to US15/686,388 priority Critical patent/US10394698B2/en
Assigned to ENTIT SOFTWARE LLC reassignment ENTIT SOFTWARE LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Publication of US20180074943A1 publication Critical patent/US20180074943A1/en
Assigned to MICRO FOCUS LLC reassignment MICRO FOCUS LLC CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: ENTIT SOFTWARE LLC
Publication of US10394698B2 publication Critical patent/US10394698B2/en
Application granted granted Critical
Assigned to JPMORGAN CHASE BANK, N.A. reassignment JPMORGAN CHASE BANK, N.A. SECURITY AGREEMENT Assignors: BORLAND SOFTWARE CORPORATION, MICRO FOCUS (US), INC., MICRO FOCUS LLC, MICRO FOCUS SOFTWARE INC., NETIQ CORPORATION
Assigned to JPMORGAN CHASE BANK, N.A. reassignment JPMORGAN CHASE BANK, N.A. SECURITY AGREEMENT Assignors: BORLAND SOFTWARE CORPORATION, MICRO FOCUS (US), INC., MICRO FOCUS LLC, MICRO FOCUS SOFTWARE INC., NETIQ CORPORATION
Assigned to MICRO FOCUS LLC, NETIQ CORPORATION, MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.) reassignment MICRO FOCUS LLC RELEASE OF SECURITY INTEREST REEL/FRAME 052294/0522 Assignors: JPMORGAN CHASE BANK, N.A.
Assigned to MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.), NETIQ CORPORATION, MICRO FOCUS LLC reassignment MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.) RELEASE OF SECURITY INTEREST REEL/FRAME 052295/0041 Assignors: JPMORGAN CHASE BANK, N.A.
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3668Software testing
    • G06F11/3672Test management
    • G06F11/3676Test management for coverage analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3604Software analysis for verifying properties of programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3668Software testing
    • G06F11/3672Test management
    • G06F11/3688Test management for test execution, e.g. scheduling of test suites
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/75Structural analysis for program understanding
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Definitions

  • Web pages/applications may be tested to ensure for sources of exploitable vulnerabilities.
  • One source of these vulnerabilities may be executable JavaScript code. Because these applications are often large, complex and interconnected with web services, JavaScript analysis may be performed to expose attackable entry points.
  • FIG. 1 is a block diagram of an example environment for JavaScript path enumeration
  • FIG. 2 is a flowchart of an example method for JavaScript path enumeration
  • FIG. 3 is a flowchart of another example method for document object model adjustment and enumeration
  • FIG. 4 is a flowchart of an example method for JavaScript path enumeration.
  • FIG. 5 is a block diagram of an example system for JavaScript path enumeration.
  • a web page in a browser may execute JavaScript code and react to timer events, live user events (such as keypresses and mouse clicks), etc.
  • the resultant call chains and code flows may constitute a set of allowed or intended execution.
  • the code may follow the path dictated by current program states. It may run the “if” or the “else” but not both.
  • This normal code flow is correct program operation, but may not include possible attack points from malicious actors. Correct browser execution, however, may not be a constraint for these actors. Malicious actors may analyze source code and make inferences about how the code interacts with the web server to determine unintended execution of the JavaScript code. An example is the same “if-else” mentioned above. Intended execution of the browser may dictate that the “if” path is to be taken in a certain context. This intended path may be referred to as a “normal” path. Both code paths, however, may contain an AJAX network call to the server and this AJAX call may be an entry point that could be exploited.
  • Javascript path enumeration techniques described herein may be useful for automatically exploring these dark paths that would not happen during normal browser operation but which could be used as an attack point by an intruder if the dark paths were executed.
  • An example method for JavaScript path enumeration may include receiving code corresponding to an HTML page structure including a plurality of executable JavaScript code and enumerating a branching path in the JavaScript code. The method may include determining a branch of the branching path that would not execute during normal operation of a browser executing the JavaScript code. The method may also include generating an artificial condition for the branch and executing the branch using the artificial condition.
  • FIG. 1 is a block diagram of an example environment 100 in which JavaScript path enumeration may be useful.
  • Environment 100 may include a stack 102 with a document object model 104 , an execution engine 106 and a browser 108 .
  • a document object model (DOM) 104 is an internal representation of the Hyper Text Markup Language (HTML) page structure, i.e., it is a tree structure that mirrors the web page.
  • the initial page may come from a web server and may be rendered into a browser as HTML and other code, such as JavaScript (JS) code, which may execute after the HTML page loads.
  • JS JavaScript
  • Once rendered, the page may be interacted with (for example by clicks, keypresses, and timer events, etc.) causing the page to change.
  • These interactions may cause changes the DOM 104 to in the form of additions to the DOM, deletions from the DOM, alterations of the DOM, etc.
  • These changes to the DOM may be referred to as “DOM
  • the execution engine 106 may execute the code from the HTML page structure.
  • execution engine 106 may be a JavaScript engine that executes JavaScript code.
  • the browser 108 may be used to interpret the HTML page structure and executable code that is represented by the DOM 104 .
  • the browser 108 may be a “headless” browser that emulates a human operator and also internally tracks DOM state changes.
  • the headless browser may make calls to a server using the Asynchronous JavaScript and XML protocol (AJAX).
  • AJAX Asynchronous JavaScript and XML protocol
  • the headless browser may emulate how a traditional browser acts but may not render a graphical user interface (GUI). By not rendering a GUI, environment 100 may increase the speed of a security scan/analysis.
  • the browser 108 may also have access to certain values and actions that are prohibited and/or hidden by a traditional browser.
  • Environment 100 may also include a processor 110 and a memory 112 that may be coupled to each other through a communication link (e.g., a bus).
  • Processor 110 may include a Central Processing Unit (CPU) or another suitable hardware processor.
  • memory 112 stores machine readable instructions executed by processor 110 .
  • Memory 112 may include any suitable combination of volatile and/or non-volatile memory, such as combinations of Random Access Memory (RAM), Read-Only Memory (ROM), flash memory, and/or other suitable memory.
  • Memory 112 may also include a random access non-volatile memory that can retain content when the power is off.
  • Memory 112 may store instructions to be executed by processor 110 including instructions for implementing code receiver 114 , branch enumerator 116 , branch determiner 118 , value generator 120 , branch executor 122 and/or other components. Furthermore, in FIG. 1 and other Figures described herein, different numbers of components or entities than depicted may be used.
  • Processor 110 may execute instructions of code receiver 114 to receive code corresponding to an HTML page structure. An initial Document Object Model (DOM) may also be received and/or created corresponding to an HTML page structure. Processor 110 may execute instructions of branch enumerator 116 to enumerate a plurality of branching paths of the executable JavaScript code included in the HTML page structure. Processor 110 may execute instructions of branch determiner 118 to determine, for each branching path in the plurality, whether any branches of the branching path are not intended to execute during runtime conditions. The plurality of branching paths may include “normal” paths that are intended to be executed during runtime conditions of a browser executing the JavaScript code. The plurality of branching paths may also include “dark” paths that are not intended to be executed during runtime conditions of the browser executing the JavaScript code.
  • DOM Document Object Model
  • the dark paths may include a value that would prevent the branch from executing during correct browser execution.
  • the JavaScript code may include a hard-coded variable with a false value and an “if/else” statement that branches to “else” based on that value. Accordingly, the “else” path is the normal path and the “if” path is the dark path.
  • the JavaScript code should take this normal path regardless of user input or other runtime conditions.
  • a malicious actor may use the dark path as an attack point.
  • Dark paths may contain code that has runtime effects on the DOM. Potentially, these code paths can also emit AJAX calls to the server.
  • Branch determiner may determine a break point during executing the branch using the artificial condition, where the JavaScript code interacts with a web server and/or makes an AJAX call.
  • the branch determiner 118 may determine that the first branch corresponds to a hard coded value (in this case the “false” value mentioned above) in the HTML page structure and determine that the first branch has a value other than the hard coded value. In some aspects, the branch determiner 118 may determine that the first branching path has two possible branches and that a first possible branch of the two possible branches is not intended to execute during runtime conditions. The branch determiner 118 may identify the first possible branch as a dark path.
  • code receiver 114 may receive JavaScript code with a plurality of branch paths.
  • Branch enumerator 116 may enumerate each branch of the plurality of branching paths in the JavaScript code.
  • Branch determiner 118 may determine, for each branch, whether the branching path would execute during normal operation of a browser executing the JavaScript code.
  • Branch determiner 118 may flag each branch of the branching path that would execute during normal operation as a normal path and flag each branch of the branching path that would not execute during normal operation as a dark path.
  • Processor 110 may execute instructions of value generator 120 to generate, for each branch not intended to be executed during runtime conditions, an unintended value for the branch.
  • the unintended value generated by value generator 120 may be a “true” value that cause the if/else statement to branch to “if” based on the value.
  • Processor 110 may execute instructions of branch executor 122 to execute a first branch not intended to be executed during runtime conditions using the unintended value.
  • Branch executor 122 may also execute branches that are intended to be executed during runtime conditions using the intended value.
  • Branch executor 122 may execute both normal and/or dark paths using the actual JavaScript code representing the actual client side source code, but using artificial runtime conditions. In this manner, adjustments to the DOM, AJAX calls and subsequent JS mutations may be recorded and analyzed. In JavaScript, the code can change itself and thereby lead to more correct paths and more dark paths.
  • Branch executor 122 may execute branches using the browser 108 .
  • the browser 108 may be a headless browser that emulates functionality of a browser without generating a graphic user interface.
  • the browser 108 may also include a plurality of operational modes, each operational mode corresponding to the simulation of a different browser environment.
  • Branch executor 122 may execute branches using the unintended value in a plurality of operational modes.
  • the DOM may be adjusted based on the execution of the branch using the unintended value. The adjustment of the DOM is discussed in further detail below, in reference to FIG. 3 and method 300 .
  • FIG. 2 is a flowchart of an example method 200 for JavaScript path enumeration.
  • Method 200 may be described below as being executed or performed by an environment, for example environment 100 of FIG. 1 , or a system, for example, system 500 of FIG. 5 described below. Other suitable systems and/or computing devices may be used as well.
  • Method 200 may be implemented in the form of executable instructions stored on at least one machine-readable storage medium of the system and executed by at least one processor of the system.
  • the processor may include a Central Processing Unit (CPU) or another suitable hardware processor.
  • the machine-readable storage medium may be non-transitory.
  • Method 200 may be implemented in the form of electronic circuitry (e.g., hardware).
  • At least one block of method 200 may be executed substantially concurrently or in a different order than shown in FIG. 2 .
  • Method 200 may include more or less blocks than are shown in FIG. 2 . Some of the blocks of method 200 may, at certain times, be ongoing and/or may repeat.
  • Method 200 may start at block 202 and continue to block 204 , where the method may include receiving code corresponding to an HTML page structure including a plurality of executable JavaScript code.
  • the method may include enumerating a branching path in the JavaScript code.
  • the method may include determining a branch of the branching path that would not execute during normal operation of a browser executing the JavaScript code.
  • determining a branch of the branching path that would not execute during normal operation may include identifying a first branch of the branching path corresponding to a hard coded value in the HTML page structure and determining that the branch of the branching path that would not execute during normal operation of a browser executing the JavaScript corresponds to a value other than the hard coded value.
  • determining a branch of the branching path that would not execute during normal operation may include determining that the branching path has two possible branches, determining that a first branch of the possible branches would not execute during normal operation of a browser executing the JavaScript code and identifying the first branch as a dark path.
  • the method may include generating an artificial condition for the branch and at block 212 , the method may include executing the branch using the artificial condition.
  • the execution may be performed by a headless browser that emulates functionality of a browser without generating a graphic user interface.
  • the browser may a plurality of operational modes, each operational mode corresponding to the simulation of a different browser environment.
  • the branch may be executed in the plurality of operational modes.
  • Method 200 may eventually continue to block 214 , where method 200 may stop.
  • FIG. 3 is a flowchart of an example method 300 for DOM tracking and adjustment.
  • Method 300 may be described below as being executed or performed by an environment, for example environment 100 of FIG. 1 , or a system, for example, system 500 of FIG. 5 described below. Other suitable systems and/or computing devices may be used as well.
  • Method 300 may be implemented in the form of executable instructions stored on at least one machine-readable storage medium of the system and executed by at least one processor of the system.
  • the processor may include a Central Processing Unit (CPU) or another suitable hardware processor.
  • the machine-readable storage medium may be non-transitory.
  • Method 300 may be implemented in the form of electronic circuitry (e.g., hardware). At least one block of method 300 may be executed substantially concurrently or in a different order than shown in FIG. 3 .
  • Method 300 may include more or less blocks than are shown in FIG. 3 . Some of the blocks of method 300 may, at certain times, be ongoing and/or may repeat.
  • Method 300 may start at block 302 and continue to block 304 , where the method 300 may include receiving an initial DOM corresponding to an html page structure and a plurality of executable JavaScript code.
  • the HTML page structure and plurality of executable JavaScript code may be related to or the same as the HTML page structure and plurality of executable JavaScript code discussed in block 202 above in reference to method 200 and FIG. 2 .
  • the method may include adjusting the initial DOM based on an artificial condition for the branch (such as the artificial condition in block 210 of method 200 in FIG. 2 ).
  • the method may include tracking state changes to the initial DOM by recording adjustments made to the DOM. Tracking state changes may include tracking the adjustment to the initial DOM based on executing the branch using the artificial condition.
  • the method may include restoring the initial DOM. By restoring the initial DOM, the DOM can then be adjusted based on a different branch. In this manner, the method 300 may simulate the different possible branches that can be created.
  • the method may include determining a second branch of the branching path that would execute during normal operation of a browser executing the JavaScript code.
  • the method may include adjusting the initial DOM based on the second branch.
  • Method 300 may eventually continue to block 316 , where method 300 may stop.
  • FIG. 4 is a flowchart of an example method 400 for JavaScript path enumeration.
  • Method 400 may be described below as being executed or performed by an environment, for example environment 100 of FIG. 1 , or a system, for example, system 500 of FIG. 5 described below. Other suitable systems and/or computing devices may be used as well.
  • Method 400 may be implemented in the form of executable instructions stored on at least one machine-readable storage medium of the system and executed by at least one processor of the system.
  • the processor may include a Central Processing Unit (CPU) or another suitable hardware processor.
  • the machine-readable storage medium may be non-transitory.
  • Method 400 may be implemented in the form of electronic circuitry (e.g., hardware).
  • At least one block of method 400 may be executed substantially concurrently or in a different order than shown in FIG. 4 .
  • Method 400 may include more or less blocks than are shown in FIG. 4 . Some of the blocks of method 400 may, at certain times, be ongoing and/or may repeat.
  • Method 400 may start at block 402 and continue to block 404 , where the method 400 may include determining a plurality of branching paths in the JavaScript code.
  • the method may include enumerating each branch of the plurality of branching paths in the JavaScript code.
  • the method may include determining, for each branch, whether the branching path that would not execute during normal operation of a browser executing the JavaScript code. If it is determined that a branch would execute during normal operation of the browser (YES branch of block 408 ), at block 410 the method may include flagging each branch of the branching path that would execute during normal operation as a normal path.
  • the method may include flagging each branch of the branching path that would not execute during normal operation as a dark path.
  • Method 400 may eventually continue to block 414 , where method 400 may stop.
  • method 400 may determine the paths that would not be taken during normal execution of the browser, as described above, and may also determine unknown normal paths as well. For example, there may be a path that is intended to occur, but may rarely happen due to the inputs required. Since every possible input and path may not be known, enumerating each branch in the plurality may allow for the identification and execution of each branching path in the JavaScript code.
  • FIG. 5 is a block diagram of an example system 500 for JavaScript path enumeration.
  • System 500 may be similar to environment 100 of FIG. 1 , for example.
  • system 500 includes a processor 502 and a machine-readable storage medium 504 .
  • the following descriptions refer to a single processor and a single machine-readable storage medium, the descriptions may also apply to a system with multiple processors and multiple machine-readable storage mediums.
  • the instructions may be distributed (e.g., stored) across multiple machine-readable storage mediums and the instructions may be distributed (e.g., executed by) across multiple processors.
  • Processor 502 may be at least one central processing unit (CPU), microprocessor, and/or other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 504 .
  • processor 502 may fetch, decode, and execute instructions 506 , 508 , 510 , 512 and 514 to perform JavaScript path enumeration.
  • Processor 502 may include at least one electronic circuit comprising a number of electronic components for performing the functionality of at least one of the instructions in machine-readable storage medium 504 .
  • executable instruction representations e.g., boxes
  • executable instructions and/or electronic circuits included within one box may be included in a different box shown in the figures or in a different box not shown.
  • Machine-readable storage medium 504 may be any electronic, magnetic, optical, or other physical storage device that stores executable instructions.
  • machine-readable storage medium 504 may be, for example, Random Access Memory (RAM), an Electrically-Erasable Programmable Read-Only Memory (EEPROM), a storage drive, an optical disc, and the like.
  • Machine-readable storage medium 504 may be disposed within system 500 , as shown in FIG. 5 . In this situation, the executable instructions may be “installed” on the system 500 .
  • Machine-readable storage medium 504 may be a portable, external or remote storage medium, for example, that allows system 500 to download the instructions from the portable/external/remote storage medium. In this situation, the executable instructions may be part of an “installation package”.
  • machine-readable storage medium 504 may be encoded with executable instructions for context aware data backup.
  • the machine-readable storage medium may be non-transitory.
  • page request instructions 506 when executed by a processor (e.g., 502 ), may cause system 500 to request an HTML page structure including executable JavaScript code.
  • DOM create instructions 508 when executed by a processor (e.g., 502 ), may cause system 500 to create a document object model (DOM) with a plurality of branch paths of executions of the executable JavaScript code.
  • Path determine instructions 510 when executed by a processor (e.g., 502 ), may cause system 500 to determine a branching path, belonging to the plurality, with a value that would prevent at least one branch of the branching path to execute during correct browser execution.
  • Value replace instructions 512 when executed by a processor (e.g., 502 ), may cause system 500 to replace the value with a second value.
  • determining a branching path with a value that would prevent at least one branch of the branching path to execute during correct browser execution may include identifying a branch of the branching path corresponding to a hard coded value in the HTML page structure and determining that the branch of the branching path that would not execute during normal operation of a browser executing the JavaScript corresponds to a value other than the hard coded value.
  • determining a branching path with a value that would prevent at least one branch of the branching path to execute during correct browser execution may include determining that the branching path has two possible branches, determining that a first branch of the possible branches would not execute during normal operation of a browser executing the JavaScript code, identifying a value corresponding to the first branch and identifying the first branch as a dark path.
  • Branch execute instructions 514 when executed by a processor (e.g., 502 ), may cause system 500 to execute the branch using the second value.
  • the execution may be performed by a headless browser that emulates functionality of a browser without generating a graphic user interface.
  • the browser may a plurality of operational modes, each operational mode corresponding to the simulation of a different browser environment.
  • the DOM may be adjusted based on the second value.
  • the foregoing disclosure describes a number of examples for JavaScript path enumeration.
  • the disclosed examples may include systems, devices, computer-readable storage media, and methods for JavaScript path enumeration.
  • certain examples are described with reference to the components illustrated in FIGS. 1-5 .
  • the functionality of the illustrated components may overlap, however, and may be present in a fewer or greater number of elements and components. Further, all or part of the functionality of illustrated elements may co-exist or be distributed among several geographically dispersed locations. Further, the disclosed examples may be implemented in various environments and are not limited to the illustrated examples.
  • sequence of operations described in connection with FIGS. 1-5 are examples and are not intended to be limiting. Additional or fewer operations or combinations of operations may be used or may vary without departing from the scope of the disclosed examples. Furthermore, implementations consistent with the disclosed examples need not perform the sequence of operations in any particular order. Thus, the present disclosure merely sets forth possible examples of implementations, and many variations and modifications may be made to the described examples.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Computing Systems (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Stored Programmes (AREA)
  • Debugging And Monitoring (AREA)

Abstract

In one example in accordance with the present disclosure, a method may include receiving code corresponding to an HTML page structure including a plurality of executable JavaScript code and enumerating a branching path in the JavaScript code. The method may include determining a branch of the branching path that would not execute during normal operation of a browser executing the JavaScript code. The method may also include generating an artificial condition for the branch and executing the branch using the artificial condition.

Description

CROSS REFERENCE TO RELATED APPLICATION
This application claims the benefit under 35 U.S.C. § 119(e) of U.S. Provisional Application Ser. No. 62/385,540, filed Sep. 9, 2016, which is hereby incorporated by reference.
BACKGROUND
Web pages/applications may be tested to ensure for sources of exploitable vulnerabilities. One source of these vulnerabilities may be executable JavaScript code. Because these applications are often large, complex and interconnected with web services, JavaScript analysis may be performed to expose attackable entry points.
BRIEF DESCRIPTION OF THE DRAWINGS
The following detailed description references the drawings, wherein:
FIG. 1 is a block diagram of an example environment for JavaScript path enumeration;
FIG. 2 is a flowchart of an example method for JavaScript path enumeration;
FIG. 3 is a flowchart of another example method for document object model adjustment and enumeration;
FIG. 4 is a flowchart of an example method for JavaScript path enumeration; and
FIG. 5 is a block diagram of an example system for JavaScript path enumeration.
 DETAILED DESCRIPTION
During normal operation, a web page in a browser may execute JavaScript code and react to timer events, live user events (such as keypresses and mouse clicks), etc. The resultant call chains and code flows may constitute a set of allowed or intended execution. As an example, for an “if-else” branching path in the JavaScript code, the code may follow the path dictated by current program states. It may run the “if” or the “else” but not both.
This normal code flow is correct program operation, but may not include possible attack points from malicious actors. Correct browser execution, however, may not be a constraint for these actors. Malicious actors may analyze source code and make inferences about how the code interacts with the web server to determine unintended execution of the JavaScript code. An example is the same “if-else” mentioned above. Intended execution of the browser may dictate that the “if” path is to be taken in a certain context. This intended path may be referred to as a “normal” path. Both code paths, however, may contain an AJAX network call to the server and this AJAX call may be an entry point that could be exploited. A skilled attacker could modify the set of attacks to try by following the unintended path and craft the network request that would have occurred if the code went down the “else” instead of the “if” path. This unintended path may be referred to as a “dark path.”
Javascript path enumeration techniques described herein may be useful for automatically exploring these dark paths that would not happen during normal browser operation but which could be used as an attack point by an intruder if the dark paths were executed. An example method for JavaScript path enumeration may include receiving code corresponding to an HTML page structure including a plurality of executable JavaScript code and enumerating a branching path in the JavaScript code. The method may include determining a branch of the branching path that would not execute during normal operation of a browser executing the JavaScript code. The method may also include generating an artificial condition for the branch and executing the branch using the artificial condition.
FIG. 1 is a block diagram of an example environment 100 in which JavaScript path enumeration may be useful. Environment 100 may include a stack 102 with a document object model 104, an execution engine 106 and a browser 108. A document object model (DOM) 104 is an internal representation of the Hyper Text Markup Language (HTML) page structure, i.e., it is a tree structure that mirrors the web page. The initial page may come from a web server and may be rendered into a browser as HTML and other code, such as JavaScript (JS) code, which may execute after the HTML page loads. Once rendered, the page may be interacted with (for example by clicks, keypresses, and timer events, etc.) causing the page to change. These interactions may cause changes the DOM 104 to in the form of additions to the DOM, deletions from the DOM, alterations of the DOM, etc. These changes to the DOM may be referred to as “DOM mutations.”
The execution engine 106 may execute the code from the HTML page structure. For example, execution engine 106 may be a JavaScript engine that executes JavaScript code. The browser 108 may be used to interpret the HTML page structure and executable code that is represented by the DOM 104. In some aspects, the browser 108 may be a “headless” browser that emulates a human operator and also internally tracks DOM state changes. The headless browser may make calls to a server using the Asynchronous JavaScript and XML protocol (AJAX). The headless browser may emulate how a traditional browser acts but may not render a graphical user interface (GUI). By not rendering a GUI, environment 100 may increase the speed of a security scan/analysis. The browser 108 may also have access to certain values and actions that are prohibited and/or hidden by a traditional browser.
Environment 100 may also include a processor 110 and a memory 112 that may be coupled to each other through a communication link (e.g., a bus). Processor 110 may include a Central Processing Unit (CPU) or another suitable hardware processor. In some examples, memory 112 stores machine readable instructions executed by processor 110. Memory 112 may include any suitable combination of volatile and/or non-volatile memory, such as combinations of Random Access Memory (RAM), Read-Only Memory (ROM), flash memory, and/or other suitable memory. Memory 112 may also include a random access non-volatile memory that can retain content when the power is off.
Memory 112 may store instructions to be executed by processor 110 including instructions for implementing code receiver 114, branch enumerator 116, branch determiner 118, value generator 120, branch executor 122 and/or other components. Furthermore, in FIG. 1 and other Figures described herein, different numbers of components or entities than depicted may be used.
Processor 110 may execute instructions of code receiver 114 to receive code corresponding to an HTML page structure. An initial Document Object Model (DOM) may also be received and/or created corresponding to an HTML page structure. Processor 110 may execute instructions of branch enumerator 116 to enumerate a plurality of branching paths of the executable JavaScript code included in the HTML page structure. Processor 110 may execute instructions of branch determiner 118 to determine, for each branching path in the plurality, whether any branches of the branching path are not intended to execute during runtime conditions. The plurality of branching paths may include “normal” paths that are intended to be executed during runtime conditions of a browser executing the JavaScript code. The plurality of branching paths may also include “dark” paths that are not intended to be executed during runtime conditions of the browser executing the JavaScript code.
In some aspects the dark paths may include a value that would prevent the branch from executing during correct browser execution. For example, the JavaScript code may include a hard-coded variable with a false value and an “if/else” statement that branches to “else” based on that value. Accordingly, the “else” path is the normal path and the “if” path is the dark path. During correct browser execution, the JavaScript code should take this normal path regardless of user input or other runtime conditions. However, a malicious actor may use the dark path as an attack point. Dark paths may contain code that has runtime effects on the DOM. Potentially, these code paths can also emit AJAX calls to the server. Branch determiner may determine a break point during executing the branch using the artificial condition, where the JavaScript code interacts with a web server and/or makes an AJAX call.
Examining both the “if” and “else” path without regard to the runtime condition allows analysis of these dark paths and the resultant DOM mutations, network calls, dynamic JS changes, etc. Moreover, examining each of the possible paths may allow for the identification and execution of normal paths that are not obvious because, for example, some of the inputs that a user could access are not known. In the above example, the branch determiner 118 may determine that the first branch corresponds to a hard coded value (in this case the “false” value mentioned above) in the HTML page structure and determine that the first branch has a value other than the hard coded value. In some aspects, the branch determiner 118 may determine that the first branching path has two possible branches and that a first possible branch of the two possible branches is not intended to execute during runtime conditions. The branch determiner 118 may identify the first possible branch as a dark path.
Put another way, code receiver 114 may receive JavaScript code with a plurality of branch paths. Branch enumerator 116 may enumerate each branch of the plurality of branching paths in the JavaScript code. Branch determiner 118 may determine, for each branch, whether the branching path would execute during normal operation of a browser executing the JavaScript code. Branch determiner 118 may flag each branch of the branching path that would execute during normal operation as a normal path and flag each branch of the branching path that would not execute during normal operation as a dark path.
Processor 110 may execute instructions of value generator 120 to generate, for each branch not intended to be executed during runtime conditions, an unintended value for the branch. In the above example, the unintended value generated by value generator 120 may be a “true” value that cause the if/else statement to branch to “if” based on the value. Processor 110 may execute instructions of branch executor 122 to execute a first branch not intended to be executed during runtime conditions using the unintended value. Branch executor 122 may also execute branches that are intended to be executed during runtime conditions using the intended value.
Branch executor 122 may execute both normal and/or dark paths using the actual JavaScript code representing the actual client side source code, but using artificial runtime conditions. In this manner, adjustments to the DOM, AJAX calls and subsequent JS mutations may be recorded and analyzed. In JavaScript, the code can change itself and thereby lead to more correct paths and more dark paths.
Branch executor 122 may execute branches using the browser 108. The browser 108 may be a headless browser that emulates functionality of a browser without generating a graphic user interface. The browser 108 may also include a plurality of operational modes, each operational mode corresponding to the simulation of a different browser environment. Branch executor 122 may execute branches using the unintended value in a plurality of operational modes. The DOM may be adjusted based on the execution of the branch using the unintended value. The adjustment of the DOM is discussed in further detail below, in reference to FIG. 3 and method 300.
FIG. 2 is a flowchart of an example method 200 for JavaScript path enumeration. Method 200 may be described below as being executed or performed by an environment, for example environment 100 of FIG. 1, or a system, for example, system 500 of FIG. 5 described below. Other suitable systems and/or computing devices may be used as well. Method 200 may be implemented in the form of executable instructions stored on at least one machine-readable storage medium of the system and executed by at least one processor of the system. The processor may include a Central Processing Unit (CPU) or another suitable hardware processor. The machine-readable storage medium may be non-transitory. Method 200 may be implemented in the form of electronic circuitry (e.g., hardware). At least one block of method 200 may be executed substantially concurrently or in a different order than shown in FIG. 2. Method 200 may include more or less blocks than are shown in FIG. 2. Some of the blocks of method 200 may, at certain times, be ongoing and/or may repeat.
Method 200 may start at block 202 and continue to block 204, where the method may include receiving code corresponding to an HTML page structure including a plurality of executable JavaScript code. At block 206, the method may include enumerating a branching path in the JavaScript code. At block 208, the method may include determining a branch of the branching path that would not execute during normal operation of a browser executing the JavaScript code.
In some aspects, determining a branch of the branching path that would not execute during normal operation may include identifying a first branch of the branching path corresponding to a hard coded value in the HTML page structure and determining that the branch of the branching path that would not execute during normal operation of a browser executing the JavaScript corresponds to a value other than the hard coded value.
In some aspects, determining a branch of the branching path that would not execute during normal operation may include determining that the branching path has two possible branches, determining that a first branch of the possible branches would not execute during normal operation of a browser executing the JavaScript code and identifying the first branch as a dark path.
At block 210, the method may include generating an artificial condition for the branch and at block 212, the method may include executing the branch using the artificial condition. The execution may be performed by a headless browser that emulates functionality of a browser without generating a graphic user interface. The browser may a plurality of operational modes, each operational mode corresponding to the simulation of a different browser environment. The branch may be executed in the plurality of operational modes. Method 200 may eventually continue to block 214, where method 200 may stop.
FIG. 3 is a flowchart of an example method 300 for DOM tracking and adjustment. Method 300 may be described below as being executed or performed by an environment, for example environment 100 of FIG. 1, or a system, for example, system 500 of FIG. 5 described below. Other suitable systems and/or computing devices may be used as well. Method 300 may be implemented in the form of executable instructions stored on at least one machine-readable storage medium of the system and executed by at least one processor of the system. The processor may include a Central Processing Unit (CPU) or another suitable hardware processor. The machine-readable storage medium may be non-transitory. Method 300 may be implemented in the form of electronic circuitry (e.g., hardware). At least one block of method 300 may be executed substantially concurrently or in a different order than shown in FIG. 3. Method 300 may include more or less blocks than are shown in FIG. 3. Some of the blocks of method 300 may, at certain times, be ongoing and/or may repeat.
Method 300 may start at block 302 and continue to block 304, where the method 300 may include receiving an initial DOM corresponding to an html page structure and a plurality of executable JavaScript code. The HTML page structure and plurality of executable JavaScript code may be related to or the same as the HTML page structure and plurality of executable JavaScript code discussed in block 202 above in reference to method 200 and FIG. 2.
At block 306, the method may include adjusting the initial DOM based on an artificial condition for the branch (such as the artificial condition in block 210 of method 200 in FIG. 2). At block 308, the method may include tracking state changes to the initial DOM by recording adjustments made to the DOM. Tracking state changes may include tracking the adjustment to the initial DOM based on executing the branch using the artificial condition. At block 310, the method may include restoring the initial DOM. By restoring the initial DOM, the DOM can then be adjusted based on a different branch. In this manner, the method 300 may simulate the different possible branches that can be created. Restoring the initial DOM At block 312 the method may include determining a second branch of the branching path that would execute during normal operation of a browser executing the JavaScript code. At block 314, the method may include adjusting the initial DOM based on the second branch. Method 300 may eventually continue to block 316, where method 300 may stop.
FIG. 4 is a flowchart of an example method 400 for JavaScript path enumeration. Method 400 may be described below as being executed or performed by an environment, for example environment 100 of FIG. 1, or a system, for example, system 500 of FIG. 5 described below. Other suitable systems and/or computing devices may be used as well. Method 400 may be implemented in the form of executable instructions stored on at least one machine-readable storage medium of the system and executed by at least one processor of the system. The processor may include a Central Processing Unit (CPU) or another suitable hardware processor. The machine-readable storage medium may be non-transitory. Method 400 may be implemented in the form of electronic circuitry (e.g., hardware). At least one block of method 400 may be executed substantially concurrently or in a different order than shown in FIG. 4. Method 400 may include more or less blocks than are shown in FIG. 4. Some of the blocks of method 400 may, at certain times, be ongoing and/or may repeat.
Method 400 may start at block 402 and continue to block 404, where the method 400 may include determining a plurality of branching paths in the JavaScript code. At block 406, the method may include enumerating each branch of the plurality of branching paths in the JavaScript code. At block 408, the method may include determining, for each branch, whether the branching path that would not execute during normal operation of a browser executing the JavaScript code. If it is determined that a branch would execute during normal operation of the browser (YES branch of block 408), at block 410 the method may include flagging each branch of the branching path that would execute during normal operation as a normal path. If it is determined that a branch would not execute during normal operation of the browser (NO branch of block 408), at block 412 the method may include flagging each branch of the branching path that would not execute during normal operation as a dark path. Method 400 may eventually continue to block 414, where method 400 may stop.
By going through each branching path in this way and identifying both the normal and dark paths, method 400 may determine the paths that would not be taken during normal execution of the browser, as described above, and may also determine unknown normal paths as well. For example, there may be a path that is intended to occur, but may rarely happen due to the inputs required. Since every possible input and path may not be known, enumerating each branch in the plurality may allow for the identification and execution of each branching path in the JavaScript code.
FIG. 5 is a block diagram of an example system 500 for JavaScript path enumeration. System 500 may be similar to environment 100 of FIG. 1, for example. In the example illustrated in FIG. 5, system 500 includes a processor 502 and a machine-readable storage medium 504. Although the following descriptions refer to a single processor and a single machine-readable storage medium, the descriptions may also apply to a system with multiple processors and multiple machine-readable storage mediums. In such examples, the instructions may be distributed (e.g., stored) across multiple machine-readable storage mediums and the instructions may be distributed (e.g., executed by) across multiple processors.
Processor 502 may be at least one central processing unit (CPU), microprocessor, and/or other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 504. In the example illustrated in FIG. 5, processor 502 may fetch, decode, and execute instructions 506, 508, 510, 512 and 514 to perform JavaScript path enumeration. Processor 502 may include at least one electronic circuit comprising a number of electronic components for performing the functionality of at least one of the instructions in machine-readable storage medium 504. With respect to the executable instruction representations (e.g., boxes) described and shown herein, it should be understood that part or all of the executable instructions and/or electronic circuits included within one box may be included in a different box shown in the figures or in a different box not shown.
Machine-readable storage medium 504 may be any electronic, magnetic, optical, or other physical storage device that stores executable instructions. Thus, machine-readable storage medium 504 may be, for example, Random Access Memory (RAM), an Electrically-Erasable Programmable Read-Only Memory (EEPROM), a storage drive, an optical disc, and the like. Machine-readable storage medium 504 may be disposed within system 500, as shown in FIG. 5. In this situation, the executable instructions may be “installed” on the system 500. Machine-readable storage medium 504 may be a portable, external or remote storage medium, for example, that allows system 500 to download the instructions from the portable/external/remote storage medium. In this situation, the executable instructions may be part of an “installation package”. As described herein, machine-readable storage medium 504 may be encoded with executable instructions for context aware data backup. The machine-readable storage medium may be non-transitory.
Referring to FIG. 5, page request instructions 506, when executed by a processor (e.g., 502), may cause system 500 to request an HTML page structure including executable JavaScript code. DOM create instructions 508, when executed by a processor (e.g., 502), may cause system 500 to create a document object model (DOM) with a plurality of branch paths of executions of the executable JavaScript code. Path determine instructions 510, when executed by a processor (e.g., 502), may cause system 500 to determine a branching path, belonging to the plurality, with a value that would prevent at least one branch of the branching path to execute during correct browser execution. Value replace instructions 512, when executed by a processor (e.g., 502), may cause system 500 to replace the value with a second value.
In some aspects, determining a branching path with a value that would prevent at least one branch of the branching path to execute during correct browser execution may include identifying a branch of the branching path corresponding to a hard coded value in the HTML page structure and determining that the branch of the branching path that would not execute during normal operation of a browser executing the JavaScript corresponds to a value other than the hard coded value.
In some aspects, determining a branching path with a value that would prevent at least one branch of the branching path to execute during correct browser execution may include determining that the branching path has two possible branches, determining that a first branch of the possible branches would not execute during normal operation of a browser executing the JavaScript code, identifying a value corresponding to the first branch and identifying the first branch as a dark path.
Branch execute instructions 514, when executed by a processor (e.g., 502), may cause system 500 to execute the branch using the second value. The execution may be performed by a headless browser that emulates functionality of a browser without generating a graphic user interface. The browser may a plurality of operational modes, each operational mode corresponding to the simulation of a different browser environment. The DOM may be adjusted based on the second value.
The foregoing disclosure describes a number of examples for JavaScript path enumeration. The disclosed examples may include systems, devices, computer-readable storage media, and methods for JavaScript path enumeration. For purposes of explanation, certain examples are described with reference to the components illustrated in FIGS. 1-5. The functionality of the illustrated components may overlap, however, and may be present in a fewer or greater number of elements and components. Further, all or part of the functionality of illustrated elements may co-exist or be distributed among several geographically dispersed locations. Further, the disclosed examples may be implemented in various environments and are not limited to the illustrated examples.
Further, the sequence of operations described in connection with FIGS. 1-5 are examples and are not intended to be limiting. Additional or fewer operations or combinations of operations may be used or may vary without departing from the scope of the disclosed examples. Furthermore, implementations consistent with the disclosed examples need not perform the sequence of operations in any particular order. Thus, the present disclosure merely sets forth possible examples of implementations, and many variations and modifications may be made to the described examples.

Claims (14)

The invention claimed is:
1. A method executed by at least one processor, comprising:
receiving code corresponding to an HTML page structure including a plurality of executable JavaScript code;
enumerating a branching path in the JavaScript code;
determining a branch of the branching path that would not execute during normal operation of a browser executing the JavaScript code;
generating an artificial condition for the branch;
executing the branch using the artificial condition;
receiving an initial document object model (DOM) corresponding to the HTML page structure and the plurality of executable JavaScript code;
adjusting the initial DOM based on the artificial condition for the branch;
tracking state changes to the initial DOM by recording adjustments made to the initial DOM, including the adjusting of the initial DOM based on the executing of the branch using the artificial condition;
after the adjusting of the initial DOM, restoring the initial DOM;
determining a second branch of the branching path that would execute during the normal operation of the browser executing the JavaScript code; and
adjusting the initial DOM based on the second branch.
2. The method of claim 1, wherein determining that the branch of the branching path would not execute during the normal operation of the browser executing the JavaScript code comprises identifying, by the at least one processor, a branch of the branching path corresponding to a hard coded value in the HTML page structure.
3. The method of claim 1, wherein the executing of the branch using the artificial condition is performed by a headless browser that emulates functionality of the browser without generating a graphic user interface.
4. The method of claim 3, comprising:
executing, by the at least one processor, the branch using the artificial condition in a plurality of operational modes, each operational mode corresponding to a simulation of a different browser environment.
5. The method of claim 1, comprising:
determining, by the at least one processor, a plurality of branching paths in the JavaScript code;
enumerating, by the at least one processor, the plurality of branching paths in the JavaScript code;
determining, by the at least one processor, a branch of each respective branching path that would not execute during the normal operation of the browser executing the JavaScript code;
flagging, by the at least one processor, each branch of the respective branching path that would execute during the normal operation as a normal path; and
flagging, by the at least one processor, each branch of the respective branching path that would not execute during the normal operation as a dark path.
6. The method of claim 1, comprising:
determining, by the at least one processor, a break point during the executing of the branch using the artificial condition, where the JavaScript code interacts with a web server.
7. The method of claim 1, comprising:
determining, by the at least one processor, that the branching path has two possible branches;
determining, by the at least one processor, that a first branch of the possible branches would not execute during the normal operation of the browser executing the JavaScript code; and
identifying, by the at least one processor, the first branch as a dark path.
8. A system comprising:
a processor; and
a non-transitory storage medium storing instructions executable on the processor to:
receive code corresponding to an HTML page structure;
enumerate a plurality of branching paths of executable JavaScript code included in the HTML page structure;
determine, for a first branching path of the plurality of branching paths, a given branch of the first branching path that is not intended to execute during runtime conditions;
generate, for the given branch, an unintended value for the given branch;
execute the given branch using the unintended value;
receive an initial document object model (DOM) corresponding to the HTML page structure and the JavaScript code;
adjust the initial DOM based on execution of the given branch using the unintended value;
track state changes to the initial DOM by recording adjustments made to the initial DOM, including the adjusting of the initial DOM based on executing the given branch using the unintended value;
after the adjusting of the initial DOM, restore the initial DOM;
determine a further branch of the first branching path that would execute during the runtime conditions; and
adjusting the initial DOM based on the further branch.
9. The system of claim 8, wherein determining that the given branch of the first branching path would not execute during the runtime conditions comprises identifying a branch that corresponds to a hard coded value in the HTML page structure and determining that the given branch has a value other than the hard coded value.
10. The system of claim 8, wherein the instructions are executable on the processor to:
determine a break point where the JavaScript code interacts with a web server.
11. The system of claim 8, wherein the instructions are executable on the processor to:
determine that the first branching path has two possible branches;
determine that a first possible branch of the two possible branches is not intended to execute during the runtime conditions; and
identify the first possible branch as a dark path.
12. The system of claim 8, wherein the instructions are executable on the processor to execute the given branch using the unintended value using a headless browser that emulates functionality of the headless browser without generating a graphic user interface.
13. A non-transitory machine-readable storage medium encoded with instructions, the instructions upon execution causing a system to:
receive an HTML page structure including executable JavaScript code;
create a document object model (DOM) with a plurality of branching paths of executions of the executable JavaScript code;
determine a first branching path, of the plurality of branching paths, with a first value that would prevent a branch of the first branching path from executing during correct browser execution;
replace the first value with a second value;
execute the branch using the second value;
adjust the DOM based on executing the branch using the second value;
track state changes to the DOM by recording adjustments made to the DOM, including the adjusting of the DOM based on executing the branch using the second value;
after the adjusting of the DOM, restore the DOM;
determine a further value that would cause the branch to execute during the correct browser execution; and
adjust the DOM based on the further value.
14. The non-transitory machine-readable storage medium of claim 13, wherein the instructions upon execution cause the system to:
enumerate the plurality of branching paths in the JavaScript code;
determine a branch of each respective branching path that would execute during the correct browser execution;
flag the branch of the respective branching path that would execute during the correct browser execution as a normal path; and
flag the branch of the respective branching path that would not execute during the correct browser execution as a dark path.
US15/686,388 2016-09-09 2017-08-25 Javascript path enumeration Active 2037-09-14 US10394698B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/686,388 US10394698B2 (en) 2016-09-09 2017-08-25 Javascript path enumeration

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201662385540P 2016-09-09 2016-09-09
US15/686,388 US10394698B2 (en) 2016-09-09 2017-08-25 Javascript path enumeration

Publications (2)

Publication Number Publication Date
US20180074943A1 US20180074943A1 (en) 2018-03-15
US10394698B2 true US10394698B2 (en) 2019-08-27

Family

ID=59887016

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/686,388 Active 2037-09-14 US10394698B2 (en) 2016-09-09 2017-08-25 Javascript path enumeration

Country Status (3)

Country Link
US (1) US10394698B2 (en)
EP (1) EP3293662A1 (en)
CN (1) CN107808097A (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11782816B2 (en) 2019-03-19 2023-10-10 Jens C. Jenkins Input/output location transformations when emulating non-traced code with a recorded execution of traced code
US11281560B2 (en) 2019-03-19 2022-03-22 Microsoft Technology Licensing, Llc Input/output data transformations when emulating non-traced code with a recorded execution of traced code

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090089759A1 (en) 2007-10-02 2009-04-02 Fujitsu Limited System and Method for Providing Symbolic Execution Engine for Validating Web Applications
US20090187918A1 (en) * 2008-01-18 2009-07-23 Microsoft Corporation Methods and apparatus for securing frames from other frames
US20130219368A1 (en) 2010-08-10 2013-08-22 International Business Machines Corporation Automatically Testing a Web Application
US8868533B2 (en) * 2006-06-30 2014-10-21 International Business Machines Corporation Method and apparatus for intelligent capture of document object model events
US8949994B2 (en) 2011-05-31 2015-02-03 International Business Machines Corporation Detecting persistent vulnerabilities in web applications
US20150163237A1 (en) 2013-12-11 2015-06-11 International Business Machines Corporation Testing web applications for security vulnerabilities with metarequests
US20150186342A1 (en) 2013-12-26 2015-07-02 International Business Machines Corporation Comparing webpage elements having asynchronous functionality
US9098636B2 (en) 2013-12-18 2015-08-04 Software Ag White-box testing systems and/or methods in web applications
US9135147B2 (en) 2012-04-26 2015-09-15 International Business Machines Corporation Automated testing of applications with scripting code
US9208235B1 (en) 2013-03-11 2015-12-08 Symantec Corporation Systems and methods for profiling web applications
WO2016060110A1 (en) 2014-10-14 2016-04-21 日本電信電話株式会社 Analysis device, analysis method, and analysis program

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286132B (en) * 2008-06-02 2010-09-08 北京邮电大学 Test method and system based on software defect mode
CN104503901B (en) * 2014-12-04 2017-08-25 中国人民解放军总参谋部第五十四研究所 A kind of guiding symbolic excution methodology analyzed based on static path
CN104572476B (en) * 2015-01-30 2017-06-30 南京邮电大学 A kind of infeasible paths detection method based on program slice
CN104750608B (en) * 2015-03-25 2017-10-27 南京大学 A kind of automatic location of mistake method performed in program based on dynamic symbol

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8868533B2 (en) * 2006-06-30 2014-10-21 International Business Machines Corporation Method and apparatus for intelligent capture of document object model events
US20090089759A1 (en) 2007-10-02 2009-04-02 Fujitsu Limited System and Method for Providing Symbolic Execution Engine for Validating Web Applications
US20090187918A1 (en) * 2008-01-18 2009-07-23 Microsoft Corporation Methods and apparatus for securing frames from other frames
US20130219368A1 (en) 2010-08-10 2013-08-22 International Business Machines Corporation Automatically Testing a Web Application
US8949994B2 (en) 2011-05-31 2015-02-03 International Business Machines Corporation Detecting persistent vulnerabilities in web applications
US9135147B2 (en) 2012-04-26 2015-09-15 International Business Machines Corporation Automated testing of applications with scripting code
US9208235B1 (en) 2013-03-11 2015-12-08 Symantec Corporation Systems and methods for profiling web applications
US20150163237A1 (en) 2013-12-11 2015-06-11 International Business Machines Corporation Testing web applications for security vulnerabilities with metarequests
US9098636B2 (en) 2013-12-18 2015-08-04 Software Ag White-box testing systems and/or methods in web applications
US20150186342A1 (en) 2013-12-26 2015-07-02 International Business Machines Corporation Comparing webpage elements having asynchronous functionality
WO2016060110A1 (en) 2014-10-14 2016-04-21 日本電信電話株式会社 Analysis device, analysis method, and analysis program
EP3190536A1 (en) 2014-10-14 2017-07-12 Nippon Telegraph and Telephone Corporation Analysis device, analysis method, and analysis program

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
Aydin, A., et al., Automated Test Generation From Vulnerability Signatures, University of California, Jan. 29, 2014, 10 pages.
Duersen, A.V., et al., Crawl-based Analysis of Web Applications: Prospects and Challenges, Delft University of Technology, Technical Report Series, Report TUD-SERG2014-015, Sep. 15, 2014. 14 pages.
European Patent Office, Extended European Search Report for Appl. No. 17189702.8 dated Nov. 3, 2017 (6 pages).
Haroon, S.M., et al., Plug-ins an Added Component for Automatic Testing of Modern Web Applications, IJARCET, vol. 4, Issue 2, Feb. 2015, pp. 562-567.
Kartik Bajaj et al., Dompletion: DOM-aware JavaScript code completion, ACM, 2014, retrieved online on May 13, 2019, pp. 43-54. Retrieved from the Internet: <URL: http://delivery.acm.org/10.1145/2650000/2642981/p43-bajaj.pdf?>. (Year: 2014). *
Mesbah, A., et al., Invariant-based Automatic Testing of Modern Web Applications, Delft University of Technology, Technical Report Series, Report TUD-SERG-2011-003, 2011, 24 pages.
Saxena, P., et al., A Symbolic Execution Framework for JavaScript, University of California, May 11, 2010, 18 pages.
Zheng, Y., et al., Path Sensitive Static Analysis of Web Applications for Remote Code Execution Vulnerability Detection, Purdue University, Aug. 17, 2012, 10 pages.

Also Published As

Publication number Publication date
CN107808097A (en) 2018-03-16
EP3293662A1 (en) 2018-03-14
US20180074943A1 (en) 2018-03-15

Similar Documents

Publication Publication Date Title
US11716348B2 (en) Malicious script detection
EP3287930A1 (en) Javascript security testing
US9882923B2 (en) Automatic context-sensitive sanitization
US8881278B2 (en) System and method for detecting malicious content
US20170316202A1 (en) Rasp for scripting languages
US9774620B2 (en) Automatic code and data separation of web application
US20150310193A1 (en) Control flow flattening for code obfuscation where the next block calculation needs run-time information
US8572747B2 (en) Policy-driven detection and verification of methods such as sanitizers and validators
US11888885B1 (en) Automated security analysis of software libraries
US11310259B2 (en) Cybersecurity architectural network based on artificial intelligence
US9405936B2 (en) Code integrity protection by computing target addresses from checksums
US10394698B2 (en) Javascript path enumeration
US20240143739A1 (en) Intelligent obfuscation of mobile applications
US20170185784A1 (en) Point-wise protection of application using runtime agent
Xiao et al. Detection and prevention of code injection attacks on HTML5-based apps
CN111753302A (en) Method and device for detecting code bugs, computer readable medium and electronic equipment
EP2937803A1 (en) Control flow flattening for code obfuscation where the next block calculation needs run-time information
US8863292B2 (en) Interactive analysis of a security specification
Patil et al. Automated Client-side Sanitizer for Code Injection Attacks
Ablahd Using python to detect web application vulnerability
CN115688108B (en) Webshell static detection method and system
Elsayed et al. IFCaaS: information flow control as a service for cloud security
CN111767548A (en) Vulnerability capturing method, device, equipment and storage medium
Hamou-Lhadj et al. Software behaviour correlation in a redundant and diverse environment using the concept of trace abstraction
CN114880667A (en) Script detection method and device

Legal Events

Date Code Title Description
AS Assignment

Owner name: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WILLIAMS, KEVIN ALLEN;MILLAR, STEVE ALAN;HARDEMAN, STEPHEN DANIEL;SIGNING DATES FROM 20160915 TO 20160926;REEL/FRAME:043402/0556

Owner name: ENTIT SOFTWARE LLC, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP;REEL/FRAME:043675/0001

Effective date: 20170405

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: MICRO FOCUS LLC, CALIFORNIA

Free format text: CHANGE OF NAME;ASSIGNOR:ENTIT SOFTWARE LLC;REEL/FRAME:050004/0001

Effective date: 20190523

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNORS:MICRO FOCUS LLC;BORLAND SOFTWARE CORPORATION;MICRO FOCUS SOFTWARE INC.;AND OTHERS;REEL/FRAME:052294/0522

Effective date: 20200401

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNORS:MICRO FOCUS LLC;BORLAND SOFTWARE CORPORATION;MICRO FOCUS SOFTWARE INC.;AND OTHERS;REEL/FRAME:052295/0041

Effective date: 20200401

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

AS Assignment

Owner name: NETIQ CORPORATION, WASHINGTON

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052295/0041;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062625/0754

Effective date: 20230131

Owner name: MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.), MARYLAND

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052295/0041;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062625/0754

Effective date: 20230131

Owner name: MICRO FOCUS LLC, CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052295/0041;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062625/0754

Effective date: 20230131

Owner name: NETIQ CORPORATION, WASHINGTON

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052294/0522;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062624/0449

Effective date: 20230131

Owner name: MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.), WASHINGTON

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052294/0522;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062624/0449

Effective date: 20230131

Owner name: MICRO FOCUS LLC, CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 052294/0522;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062624/0449

Effective date: 20230131